Should banks adopt regulations as best practices?

How banks can improve stress testing by adopting BCBS 239

By Tom Kimner, Head of Global Marketing and Operations, Risk Management, SAS

The regulatory climate

It seems you can’t read an article or watch a news report about banking without seeing something related to a new or expanded banking rule or regulation. Part of the reason for this, some would argue, is that banks haven’t always been particularly good at self-governance – especially when it comes to protecting capital, financial reporting or disclosure (among other things). And since banks can’t seem to govern themselves, regulators and accounting standards boards globally have been increasingly stepping up capital requirements – often using stress testing as the preferred yardstick – as well as developing and strengthening a plethora of committees, rules and regulations.

For example, in April 2015 the Federal Reserve announced a revised governance structure and list of 16 firms to be regulated by the Large Institution Supervision Coordinating Committee (LISCC). These firms, the majority of which are also identified as the top 30 G-SIBs, are supervised or regulated by a virtual alphabet soup of national and international authorities. And the rules and regulations published by these supervisory authorities are often formed based on policy development organizations such as the Financial Stability Oversight Council, the Basel Committee on Banking Supervision and the Financial Stability Board, to name a few.

If institutions are not already adhering to the main BCBS 239 principles as best practices, they run the risk not only of failing regulatory requirements, but also of being left behind competitively.

... And yet more regulations

Additionally, the International Accounts Standards Board (IASB) and the Financial Accounting Standards Board (FASB) have worked together to unveil the IFRS 9 Financial Instruments credit loss standard, as well as a US version for credit impairment based on current expected credit loss (CECL). These rules, while more directed toward accounting and financial reporting, also require enhanced loss modeling, something that has traditionally fallen on the CRO’s plate.

Furthermore, the Basel Committee, after having announced renewed measures for Basel III capital adequacy rules – including liquidity risk ratio calculations and counterparty credit risk measures – has revised its market risk framework to include a Fundamental Review of the Trading Book. Wait, scratch that – with some additional revision in January 2016, it is now referred to as the Minimum Capital Requirements for Market Risk. And why stop with Basell III when it’s possible to introduce Basel IV? Only Hollywood could create more sequels. On top of all the prescribed rules and regulations, the Basel Committee has also published BCBS 239: Principles for effective risk data aggregation and risk reporting,which requires G-SIBs to comply with a set of outlined principles related to risk data management by early 2016. What is interesting about BCBS 239 is that – while it is not specifically quantifiable or measurable – it does lay out what amounts to a very pragmatic set of data governance and reporting best practices for banks to follow.

Can regulations prescribe best practices?

The Basel Committee risk data aggregation and reporting announcement initially came out in 2013 in two parts: 1) the BCBS 239 final document; and 2) the companion survey results of the G-SIBs’ self-assessments of their current state of compliance with 11 principles and the associated 87 requirements. Two additional survey reports have since been published in 2014 and 2015. The committee noted in its December 2015 report that “banks still fall short of full compliance and additional work must be done to meet the intent of the principles.”

What is so special about the BCBS 239 paper with its seemingly straightforward principles focused on data management, IT infrastructure, reporting and governance? Well, one of the critical implications of gaps in risk data that strikes fear into the hearts of executives and boards of firms large and small alike is the inability to deliver accurate stress tests.

The importance of accurate stress testing

Required stress tests are mostly annual exercises (CCAR, DFAST, Bank of England, EBA), but the undercurrent of concern lives on year-round. Regulatory stress testing is growing in momentum, complexity and frequency for domestic and foreign financial services firms of all sizes. And not having well-designed, well-governed quality data has major implications. Failing a stress test can have immediate and detrimental consequences on a firm’s market valuation, cost of capital and reputation. And the downside risks and implications of failing regulatory stress tests not only concern individual banks – they concern the entire banking system. Further, in case of extreme events, banks need accurate data at the right level of detail to make the right decisions. Loss models and regulatory submissions will help to a degree, but they are only as good as the data that goes into them; the BCBS 239 principles may be the key to ensuring a strong data foundation for stress testing and other risk analyses.

What's the missing link?

How should financial services firms ensure that they have and can deliver the correct answers – at the firm level and for each category of risk (market, credit, liquidity)? It’s simple: Implement the BCBS 239 principles and treat them as best practices (e.g., accuracy and integrity, completeness, timeliness, adaptability and usefulness). To put it bluntly, if institutions are not already adhering to the main BCBS 239 principles as best practices, they run the risk not only of failing regulatory requirements, but also of being left behind competitively.

Banks will know they are on track if they can run stress test calculations using many different scenarios, interactively, repeatedly and on-demand, while easily being able to drill down through results to quickly answer regulatory and management questions. SAS addresses these specific needs with comprehensive risk management solutions that cover data management, model development and implementation, results consolidation, reporting and governance capabilities.

It’s wise to use the main principles of BCBS 239 as a guide to develop sound data governance techniques, coupled with risk-aggregation engines that include interactive stress testing and data visualization with reporting technologies. This can improve any bank’s ability to comply with many different regulatory demands and the ever-changing landscape there, as well as provide the foundation for better, more informed business decisions at all levels of the organization. Having the right programs coupled with the right technology and the right data is a best practice that any organization should adopt.

Tom Kimner leads Risk Operations and Pre-sales for SAS Risk Research and Quantitative Solutions. He is responsible for executing the overall risk management strategy by leading and coordinating the division’s marketing and communications functions. Prior to joining SAS, Mr. Kimner spent the bulk of his career at Fannie Mae in various senior management roles spearheading corporate initiatives to more effectively manage credit and financial risk. Mr. Kimner has testified before the Financial Services Committee of the U.S. House of Representatives and regularly speaks at Risk Conferences and other SAS hosted events.